CMMC enforcement begins after eight years of warnings


By Nick Wakeman, Editor-in-Chief, Washington Technology


“There is no excuse for industry to not be ready,” observers say as enforcement begins.

The defense industry has had nearly a decade of warnings, but today (Monday, Nov. 10) marks the day that companies need to start complying with the government’s standards around how they protect controlled unclassified information.

Of course, they should have been complying with the National Institute of Standards & Technology’s SP 800-171 standard for the last eight years. But now the Cybersecurity Maturity Model Certification program begins in earnest.

Defense agencies will start requiring at least a Level 1 certification on new contracts. Level 1 requires self-certification for 15 controls that are part of 800-171. These cover basic cyber hygiene.

One year from today (Nov. 10, 2026), DOD will step things up by requiring Level 2 certification. This requires a third-party assessment of compliance with all 110 controls in the standard.

Then in the following year (Nov. 10, 2027), contracting officers can start requiring Level 3. This requires a higher level of certification, often involving an assessment by the Defense Industrial Base Cybersecurity Assessment Center.

The Defense Department and cybersecurity observers began talking about the need to certify compliance with the NIST standard in 2017. CMMC got its start during the first Trump administration, then DOD continued to refine it and issue draft rules through the Biden administration.

“There is no excuse for industry to not be ready,” said Matthew Stern, chief security officer with Hypori, a mobile security provider.

But there do seem to be different levels of preparedness, and there still seem to be two schools of thought when it comes to CMMC.

Nov. 10 is either a formalization of what companies should have been already, or “you think it’s a myth and it’s never going to happen,” said Michael Greenman, senior manager of cloud solutions with Deltek. “I’ve talked with both kinds of people.”

Greenman said he gave a presentation that included the regulations, legal citations and other key language.

“Here’s where it’s codified, here’s all this stuff, and then the guy’s like, ‘I just don’t think it’s going to happen,’” Greenman said.

Given that the first year is primarily self-certification, companies still have time to get their third-party assessments completed before Level 2 kicks in in November 2026.

But self-attestation is not a free pass. Companies that falsify their attestations face consequences under the False Claims Act, including civil and potentially criminal penalties.

The Justice Department’s Civil Cyber Fraud Initiative also applies, meaning whistleblowers — including competitors — can report false certifications and receive financial rewards for doing so.

For Level 2, the question is whether there will be enough third-party assessment organizations (3PAOs) in place to evaluate the as many as 70,000 contractors who will need the higher certification. Only about 450 currently have the certification.

Current estimates indicate there are about 85 3PAOs in place. The Cyber AB is a private sector organization chartered by DOD to manage the certification and approval of the assessors.

Officials at the Cyber AB did not respond to requests for comments on the number of 3PAOs in place or organizations in the pipeline awaiting approval to operate as an assessor.

The Cyber AB holds a monthly town hall, where it has reported a backlog of people waiting for their background checks to become certified CMMC assessors. Once that backlog is addressed, the number of 3PAOs should increase.

But the issue of limited access to assessors only emphasizes why defense contractors should already be well along their compliance journey.

CMMC marks a shift in how DOD enforces cybersecurity compliance, because it is not really a regulatory or enforcement process in the traditional sense, Greenman and Stern said.

They said it is better to think of CMMC as market-driven enforcement. Under the old enforcement regime, companies self-certified but were then open to inspections and audits by DOD after the contract was awarded.

With CMMC, you have to have your certification before DOD can award the contract.

“Oh, you want to win this contract and all the money. Let me check and see your CMMC score. You don’t have one, so I can’t award you the contracts. That’s the rule. Sorry,” Greenman said. “It’s as simple as that. It’s a market-driven enforcement.”

In other words, you need to have the CMMC certification in order to do business with DOD.

Achieving a Level 2 or 3 certification is not a competitive advantage, Stern said.

“It’s past that. It’s table stakes,” Stern added. “If you aren’t prepared for Level 2 and you’re protecting CUI data, you won’t be able to bid on the contract again. You’ll be on the outside looking in.”